[Original text] VMware ESX Server 2.0.x before 2.0.2 and 2.x before 2.5.2 patch 4 stores authentication credentials in base 64 encoded format in the vmware.mui.kid and vmware.mui.sid cookies, which allows attackers to gain privileges by obtaining the cookies using attacks such as cross-site scripting (CVE-2005-3619).

VMware Security Advisory - Three vulnerabilities have been addressed in VMWare ESX.

-------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2006-0004
Synopsis: Cross site scripting vulnerability and other fixes
Knowledge base URL: http://kb.vmware.com/kb/2118366
Issue date: 2006-07-27
Updated on: 2006-07-27
CVE Names: CVE-2005-3618 CVE-2005-3620 CVE-2006-2481
-------------------------------------------------------------------
1. Summary:
Several security issues affecting ESX 2.5.x
VMware has rated this as a Priority 1 security issue according to
VMware's Security Response Policy. See
http://www.vmware.com/vmtn/technology/security/security_response.html
2. Relevant releases:
VMware ESX 2.5.3 prior to upgrade patch 2
VMware ESX 2.1.3 prior to upgrade patch 1
VMware ESX 2.0.2 prior to upgrade patch 1
3. Problem description:
The three vulnerabilities have been assigned names by the Common
Vulnerabilities and Exposures (CVE) project, as follows:
CVE-2005-3618: An unauthorized user could potentially construct a
specially crafted URL that may change a known user's password.
CVE-2005-3620: A local user could view potentially sensitive
information.
CVE-2006-2481: If an attacker can gain access to browser cookies
by any mechanism, such as through a cross site scripting attack,
then they could acquire not only the session ID, but the
authentication credentials. NOTE: This issue was fixed in ESX 2.5.3,
ESX 2.5.2 Patch 4, ESX 2.0.2 and later.
4. Solution:
Upgrade to the latest update package for your release of ESX.
http://www.vmware.com/download/esx/
Installing the Update
This update requires you to boot your server into Linux mode to perform
the upgrade. When you are prompted to reboot at the end of the upgrade,
the installer will restart your system to run ESX Server.
1. Power off all virtual machines and shutdown your server.
2. Restart your system.
3. At the LILO Boot Menu, select the linux option. Allow the system
start procedure to complete.
4. Log in as root into the ESX Server service console, in Linux mode.
Make sure your path variable contains /usr/bin:/bin.
5. Download the tar file into a temporary directory under /root on
your ESX service console.
6. Change directories to that temporary directory.
7. Verify the integrity of the package for your version:
# md5sum esx-*-upgrade.tar.gz
The md5 checksum output should match one of the following:
50c3260176c8cc33ad3bc880a20a4656 esx-2.5.3-28065-upgrade.tar.gz
ddb67afe2a48a04fb764af2497d6b75c esx-2.5.3-27728-upgrade.tar.gz
ce112a1d17893fbe5b47dfb011468269 esx-2.1.3-27733-upgrade.tar.gz
7f9b2367bbc54f29586ade0e1e286837 esx-2.0.2-27920-upgrade.tar.gz
8. Extract the compressed tar archive:
# tar -xvzf esx-2.5.3-28065-upgrade.tar.gz
9. Change directories to the newly created directory:
# cd esx-2.5.3-28065-upgrade
10. Run the patch installer:
# /usr/bin/perl ./upgrade.pl
Note: Once you start the installation script, do not enter keyboard
escape commands such as Control-C or Control-D. Using escape
commands will interrupt the upgrade procedure and leave your
system partially upgraded.
11. The system updates have now been installed. A reboot prompt displays:
Reboot the server now [y/n]?
This update will not be complete until you reboot the ESX Server. If
you enter N, to indicate that you will not reboot at this time, ESX
Server displays the warning message:
"Please reboot the server manually for this update to take effect.
Update has been terminated unexpectedly."
If you see this message, you must manually reboot the server to complete
the driver update.
12. At the reboot prompt, enter Y to reboot the server.
7. References:
http://www.corsaire.com/
http://www.corsaire.com/advisories/c060512-001.txt
http://www.corsaire.com/advisories/c051114-002.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2481
http://www.vmware.com/products/esx/
http://www.vmware.com/download/esx/
8. Acknowledgments
VMware would like to thank Stephen de Vries and Martin O'Neal of the
security consultancy Corsaire Limited, <http://www.corsaire.com/>.
9. Contact:
http://www.vmware.com/security
Copyright 2006 VMware Inc. All rights reserved.

-- Corsaire Security Advisory --
Title: VMware ESX Server Password Disclosure in Cookie issue
Date: 12.05.06
Application: VMware ESX prior to 2.5.2 patch 4
VMware ESX prior to 2.0.2
Environment: VMware ESX
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c060512-001
-- Scope --
The aim of this document is to clearly define an issue that exists with
the VMware ESX Server product [1] that will allow a local attacker to
gain access to users' (including root's) passwords under certain
conditions.
-- History --
Discovered: 12.05.06 (Martin O'Neal)
Vendor notified: 19.05.06
Document released: 31.07.06
-- Overview --
VMware ESX Server is described [1] as virtual infrastructure software
for partitioning, consolidating and managing servers in mission-critical
environments.
The software provides a virtualization layer that allows multiple x86
based operating systems to run on the same hardware concurrently. The
ESX Server product differs from other VMware products in that it does
not require a "host" operating system to be provided by the user.
Instead, it uses a custom x86 kernel as the host, along with a
customised Linux operating system as a "console O/S".
VMware ESX Server includes a number of network services and a web
application, called the "VMware Management Interface" that can be used
to perform remote administration of the system.
-- Analysis --
The Management Interface is a traditional web application, which
utilises a session ID contained within two cookies; vmware.mui.kid and
vmware.mui.sid. The Session ID format is proprietary and contains the
user account and password in a simple (recursively) base64 encoded
format.
If an attacker can gain access to the cookies by any mechanism, such as
through a simple cross site scripting attack, then they will acquire not
only the session ID, but the authentication credentials as well.
-- Recommendations --
Upgrade to a version of the VMware ESX product that does not exhibit
this issue.
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-2481 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.
-- References --
[1] http://www.vmware.com/products/esx/
-- Revision --
a. Initial release.
b. Minor edits.
c. Released.
-- Distribution --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.
A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com
Copyright 2006 Corsaire Limited. All rights reserved.

- Vulnerability information

- Vulnerability description

- Timeline

Disclosure date:
2006-07-31

Discovery date:
2006-05-12

Exploit date: Unknown

Fix date: Unknown

- Solution

Upgrade to version 2.5.3 Upgrade Patch 2, 2.1.3 Upgrade Patch 1, 2.0.2 Upgrade Patch 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Unaffected program versions

- Vulnerability discussion

VMware ESX is prone to multiple information-disclosure vulnerabilities. These issues are due to a design error in the application. The following issues were reported:

1. An information disclosure vulnerability that could disclose the session ID, username, and password if an attacker can access session cookies used by the management interface.

2. An information disclosure vulnerability that could expose authentication credentials to local users on the computer hosting the VMware ESX Server. This vulnerability occurs because authentication credentials are also handled insecurely by the VMware ESX management interface.

VMware ESX server versions 2.5.3 P2, 2.1.3 P1, 2.0.2, 2.0.2 P1, and 2.5.2 P4 are reported to be vulnerable; other versions may also be affected.
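The cookie weakness described in the Corsaire analysis and in item 1 above, shown as an added example (not code from VMware, Corsaire or this database): an audit check that peels nested base64 layers off a session cookie and flags one that decodes to readable text, next to the hardened pattern of an opaque random token mapped to the user server-side. The cookie value is a constructed two-layer sample; the real vmware.mui.sid layout is not documented here and is not reproduced.

```python
import base64
import binascii
import secrets
import string

PRINTABLE = set(string.printable.encode())

# Constructed sample only: an illustrative two-layer base64 value,
# not the actual ESX cookie format (which the advisory does not detail).
SAMPLE_WEAK_COOKIE = base64.b64encode(
    base64.b64encode(b"root:hunter2")).decode()


def base64_layers(value: str, max_depth: int = 8) -> list:
    """Peel nested base64 layers until a layer is no longer valid base64."""
    layers = []
    current = value.encode()
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        layers.append(decoded)
        current = decoded
    return layers


def decodes_to_text(value: str) -> bool:
    """Audit check: a session cookie that peels down to readable text is
    carrying encoded data (here, credentials), not an opaque token."""
    layers = base64_layers(value)
    return bool(layers) and all(b in PRINTABLE for b in layers[-1])


class SessionStore:
    """Hardened pattern: the cookie is a random token that maps to the
    user only inside the server, so a stolen cookie never yields a password."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # URL-safe, unpadded: not base64-decodable
        self._sessions[token] = username
        return token

    def lookup(self, token: str):
        return self._sessions.get(token)
```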